CernVM-FS  2.12.0
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
signature.h
Go to the documentation of this file.
1 
5 #ifndef CVMFS_CRYPTO_SIGNATURE_H_
6 #define CVMFS_CRYPTO_SIGNATURE_H_
7 
8 #include <pthread.h>
9 
10 #include <openssl/bio.h>
11 #include <openssl/engine.h>
12 #include <openssl/err.h>
13 #include <openssl/evp.h>
14 #include <openssl/pem.h>
15 #include <openssl/rsa.h>
16 #include <openssl/x509.h>
17 
18 #include <cstdio>
19 #include <map>
20 #include <set>
21 #include <string>
22 #include <vector>
23 
24 #include "crypto/hash.h"
25 #include "util/export.h"
26 
27 namespace signature {
28 
30  public:
31  enum ESignMethod { kSignManifest, kSignWhitelist };
32 
34 
35  void Init();
36  void Fini();
37  std::string GetCryptoError();
38 
39  void UnloadPrivateKey();
40  void UnloadPublicRsaKeys();
41  void UnloadPrivateMasterKey();
42  void UnloadCertificate();
43 
44  bool LoadPrivateMasterKeyPath(const std::string &file_pem);
45  bool LoadPrivateKeyPath(const std::string &file_pem,
46  const std::string &password);
47  bool LoadPrivateMasterKeyMem(const std::string &key);
48  bool LoadPrivateKeyMem(const std::string &key);
49  bool LoadCertificatePath(const std::string &file_pem);
50  bool LoadCertificateMem(const unsigned char *buffer,
51  const unsigned buffer_size);
52  bool WriteCertificateMem(unsigned char **buffer, unsigned *buffer_size);
53  bool KeysMatch();
54  bool VerifyCaChain();
55  std::string Whois();
56  shash::Any HashCertificate(const shash::Algorithms hash_algorithm);
57  std::string FingerprintCertificate(const shash::Algorithms hash_algorithm);
58  static shash::Any MkFromFingerprint(const std::string &fingerprint);
59 
60  bool LoadPublicRsaKeys(const std::string &path_list);
61  bool LoadBlacklist(const std::string &path_blacklist, bool append);
62  std::vector<std::string> GetBlacklist();
63 
64  bool LoadTrustedCaCrl(const std::string &path_list);
65 
66  bool Sign(const unsigned char *buffer, const unsigned buffer_size,
67  unsigned char **signature, unsigned *signature_size);
68  bool SignRsa(const unsigned char *buffer, const unsigned buffer_size,
69  unsigned char **signature, unsigned *signature_size);
70  bool Verify(const unsigned char *buffer, const unsigned buffer_size,
71  const unsigned char *signature, unsigned signature_size);
72  bool VerifyRsa(const unsigned char *buffer, const unsigned buffer_size,
73  const unsigned char *signature, unsigned signature_size);
74  bool VerifyLetter(const unsigned char *buffer, const unsigned buffer_size,
75  const bool by_rsa);
76  bool VerifyPkcs7(const unsigned char *buffer, const unsigned buffer_size,
77  unsigned char **content, unsigned *content_size,
78  std::vector<std::string> *alt_uris);
79  static void CutLetter(const unsigned char *buffer,
80  const unsigned buffer_size,
81  const char separator,
82  unsigned *letter_length,
83  unsigned *pos_after_mark);
84 
85  // Returns the PEM-encoded text of all loaded RSA pubkeys
86  std::string GetActivePubkeys() const;
87  std::vector<std::string> GetActivePubkeysAsVector() const;
88  // The PEM-encoded private key matching the public master key
89  std::string GetPrivateMasterKey();
90  // The PEM-encoded certificate without private key
91  std::string GetCertificate() const;
92  // The PEM-encoded private key matching the certificate
93  std::string GetPrivateKey();
94 
95  void GenerateMasterKeyPair();
96  void GenerateCertificate(const std::string &cn);
97 
98  private:
99  RSA *GenerateRsaKeyPair();
100  std::string GenerateKeyText(RSA *pubkey) const;
101 
102  void InitX509Store();
103 
104  EVP_PKEY *private_key_;
107  std::vector<RSA *> public_keys_;
108  pthread_mutex_t lock_blacklist_;
109  std::vector<std::string> blacklist_;
110  X509_STORE *x509_store_;
111  X509_LOOKUP *x509_lookup_;
112 }; // class SignatureManager
113 
114 } // namespace signature
115 
116 #endif // CVMFS_CRYPTO_SIGNATURE_H_
Failures Verify(unsigned char *manifest_data, size_t manifest_size, const std::string &base_url, const std::string &repository_name, const uint64_t minimum_timestamp, const shash::Any *base_catalog, signature::SignatureManager *signature_manager, download::DownloadManager *download_manager, ManifestEnsemble *ensemble)
std::vector< std::string > blacklist_
Definition: signature.h:109
pthread_mutex_t lock_blacklist_
Definition: signature.h:108
#define CVMFS_EXPORT
Definition: export.h:11
std::vector< RSA * > public_keys_
Definition: signature.h:107
Algorithms
Definition: hash.h:41
static int Init(const loader::LoaderExports *loader_exports)
Definition: cvmfs.cc:2311
X509_LOOKUP * x509_lookup_
Definition: signature.h:111
static void Fini()
Definition: cvmfs.cc:2534